Splunk Search

How can I extract a field using rex that fulfils more than one condition?

bsinsan
Observer

So I want to extract the last word as a field on each search result but want to grab those that only fulfils the following conditions:

1) the last word before space

2) exclude those with a period "." right after the last word

sample events:

the current status is START system goes on …

the current status is STOP please do …..

the current status is PENDING.

And my rex will extract the words from “status is “ and the word right after, but if that word has a period right after, I don’t want to extract.


I only been able to retrieve everything using the following, but not able to exclude those with a period right after.

rex field=_raw "status is\s(?<status>[^\s]+)"

Labels (1)
Tags (1)
0 Karma

ITWhisperer
SplunkTrust
SplunkTrust

As ever, solving rex questions are easier if you provide some sample events, preferably in a code block </> to avoid loss of formatting information.

0 Karma

bsinsan
Observer

Thanks for your comments I have added more details.

0 Karma

ITWhisperer
SplunkTrust
SplunkTrust

You don't need to specify field=_raw as this is the default field. Anyway, you just need to follow your extraction with a space.

| rex "status is\s(?<status>[^\s]+)\s"
0 Karma

bsinsan
Observer

Thanks but unfortuately this does not work for me.  I'm still getting results for these:

 

ACTIVE

PENDING.

INACTIVE

I only want ACTIVE and INACTIVE in this case.

0 Karma

ITWhisperer
SplunkTrust
SplunkTrust

Please share the events which are not working for you as the suggested solution works with the sample events you have provided so far

| makeresults
| eval _raw="the current status is START system goes on …
the current status is STOP please do …..
the current status is PENDING."
| multikv noheader=t
| table _raw
| rex "status is\s(?<status>[^\s]+)\s"

It is usually best to provide accurate samples, it tends to reduce the amount of wasted time!

0 Karma
Get Updates on the Splunk Community!

Adoption of RUM and APM at Splunk

    Unleash the power of Splunk Observability   Watch Now In this can't miss Tech Talk! The Splunk Growth ...

March Community Office Hours Security Series Uncovered!

Hello Splunk Community! In March, Splunk Community Office Hours spotlighted our fabulous Splunk Threat ...

Stay Connected: Your Guide to April Tech Talks, Office Hours, and Webinars!

Take a look below to explore our upcoming Community Office Hours, Tech Talks, and Webinars in April. This post ...